block by partial dns name

TauriRed · Sep 15, 2022

I sometimes got spam like this

Sep 15 23:03:22 mail-gw postfix/smtpd[292986]: warning: hostname enchanting-part.aeza.network does not resolve to address 45.138.74.205
Sep 15 23:03:22 mail-gw postfix/smtpd[292986]: connect from unknown[45.138.74.205]
Sep 15 23:03:23 mail-gw postfix/smtpd[292986]: Anonymous TLS connection established from unknown[45.138.74.205]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 15 23:03:24 mail-gw postfix/smtpd[292986]: 2436160EEC: client=unknown[45.138.74.205]
Sep 15 23:03:24 mail-gw postfix/cleanup[292992]: 2436160EEC: message-id=<e44bb3b2bb7dd559ce5172b67a4677e5@novickoe.ru>
Sep 15 23:03:24 mail-gw postfix/qmgr[23479]: 2436160EEC: from=<akciya_topliw0-50_py2923@novickoe.ru>, size=11491, nrcpt=1 (queue active)
Sep 15 23:03:24 mail-gw postfix/smtpd[292986]: disconnect from unknown[45.138.74.205] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 15 23:03:24 mail-gw pmg-smtp-filter[292110]: 60F8D63235ADC5CF91: new mail message-id=<e44bb3b2bb7dd559ce5172b67a4677e5@novickoe.ru>#012
Sep 15 23:03:35 mail-gw pmg-smtp-filter[292110]: 60F8D63235ADC5CF91: SA score=0/5 time=10.979 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),KAM_SHORT(0.001),RDNS_NONE(0.793),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01),T_SCC_BODY_TEXT_LINE(-0.01),T_SPF_HELO_TEMPERROR(0.01),URIBL_DBL_ABUSE_REDIR(0.001)
Sep 15 23:03:35 mail-gw pmg-smtp-filter[292110]: 60F8D63235ADC5CF91: accept mail to <<<censored> (6307C61166) (rule: default-accept)
Sep 15 23:03:35 mail-gw pmg-smtp-filter[292110]: 60F8D63235ADC5CF91: processing time: 11.036 seconds (10.979, 0.027, 0)
Sep 15 23:03:35 mail-gw postfix/lmtp[292993]: 2436160EEC: to=<<censored>, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=0.9/0.01/0/11, dsn=2.5.0, status=sent (250 2.5.0 OK (60F8D63235ADC5CF91))
Sep 15 23:03:35 mail-gw postfix/qmgr[23479]: 2436160EEC: removed

or
Sep 13 15:00:59 mail-gw postfix/smtpd[264236]: warning: hostname giving-tendency.aeza.network does not resolve to address 89.185.85.214
Sep 13 15:00:59 mail-gw postfix/smtpd[264236]: connect from unknown[89.185.85.214]
Sep 13 15:00:59 mail-gw postfix/smtpd[264236]: Anonymous TLS connection established from unknown[89.185.85.214]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 13 15:01:00 mail-gw postfix/smtpd[264236]: C35E760DEA: client=unknown[89.185.85.214]
Sep 13 15:01:00 mail-gw postfix/cleanup[264242]: C35E760DEA: message-id=<fcd1b3944f7c8ac3b95155ee76514f53@ctirka-oz.ru>
Sep 13 15:01:00 mail-gw postfix/qmgr[23479]: C35E760DEA: from=<p0darki_na_yubilei_5401@ctirka-oz.ru>, size=10938, nrcpt=1 (queue active)
Sep 13 15:01:00 mail-gw postfix/smtpd[264236]: disconnect from unknown[89.185.85.214] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 13 15:01:01 mail-gw pmg-smtp-filter[263400]: 60F8B632046CD009DB: new mail message-id=<fcd1b3944f7c8ac3b95155ee76514f53@ctirka-oz.ru>#012
Sep 13 15:01:10 mail-gw pmg-smtp-filter[263400]: 60F8B632046CD009DB: SA score=0/5 time=9.606 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_SHORT(0.001),PLING_QUERY(0.1),RCVD_IN_HOSTKARMA_BL(1.5),RDNS_NONE(0.793),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01),T_SCC_BODY_TEXT_LINE(-0.01),T_SPF_HELO_TEMPERROR(0.01),URIBL_DBL_ABUSE_REDIR(0.001)
Sep 13 15:01:10 mail-gw pmg-smtp-filter[263400]: 60F8B632046CD009DB: accept mail to <<<censored>> (A3D6061146) (rule: default-accept)
Sep 13 15:01:10 mail-gw pmg-smtp-filter[263400]: 60F8B632046CD009DB: processing time: 9.675 seconds (9.606, 0.04, 0)
Sep 13 15:01:10 mail-gw postfix/lmtp[264243]: C35E760DEA: to=<<censored>>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=1.3/0.02/0/9.7, dsn=2.5.0, status=sent (250 2.5.0 OK (60F8B632046CD009DB))
Sep 13 15:01:10 mail-gw postfix/qmgr[23479]: C35E760DEA: removed

ping to 89.185.85.214 shows it's serverizh.aeza.network

common part is that source IP's reverse DNS ends with 'something.aeza.network'
Is it possible to block everything with rDNS ending with aeza.network?

Stoiko Ivanov · Sep 16, 2022

TauriRed said:
Sep 15 23:03:22 mail-gw postfix/smtpd[292986]: warning: hostname enchanting-part.aeza.network does not resolve to address 45.138.74.205

I think this should be addressed by simply activating 'Reject Unknown Clients' in GUI->Configuration->Mail Proxy->Options

See the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_mailfilter
(this translates to enabling reject_unknown_client_hostname in smtpd_sender_restrictions in the postfix config):
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

if you really only want to block based on a rdns match ... check the postfix link above - `check_reverse_client_hostname_access ` might be what you're looking for

I hope this helps!

Search

Search

block by partial dns name

TauriRed

Member

Stoiko Ivanov

Proxmox Staff Member